Policy and Technology in Policy and Technology in Enterprise Directory and Enterprise Directory and Authentication ServicesAuthentication Services
No Room to Swing a CatNo Room to Swing a Cat
Michael Gettes, MACE, Duke UniversityKeith Hazelton, MACE, University of Wisconsin - MadisonCarrie Regenstein, University of Wisconsin - MadisonAnn West, NMI-EDIT Outreach, EDUCAUSE/Internet2
SERC, June 7, 2004
A Word from the sponsors: A Word from the sponsors: What is NSF interested in? What is NSF interested in?
Analogous to building the NSFnet NSF Middleware Initiative (NMI)
– Scientists and engineers can transparently use and share distributed resources, such as computers, data, and instruments
– Research and education communities can effectively collaborate using advanced communications tools
– Internet users around the world can benefit.
SERC, June 7, 2004
What is NMI-EDIT?What is NMI-EDIT?
NMI-Enterprise and Desktop Integration Technologies Consortium (NMI-EDIT)– Internet2, EDUCAUSE, and SURA– Project Goals
Create a common, persistent and robust core middleware infrastructure for the R&E community
Provide tools and services in support of inter-institutional and inter-realm collaborations
Focus on intra and inter-institutional identity and access management and related services
SERC, June 7, 2004
Range of Motion: Cat SwingingRange of Motion: Cat Swinging
Definition of key terms Context Strategies for success Moving it forward
SERC, June 7, 2004
Today’s goal: Focus on Today’s goal: Focus on people, people, service and functionality!service and functionality!
To support the synergistic relationship among technologists, policy folks, and administrators as an ongoing modus operandi (m.o.)
A perspective or methods of managing, deploying and maintaining future infrastructures, IT and more.
SERC, June 7, 2004
Key termsKey terms
Enterprise Directory Authentication Authorization
Taken together constitute
“Identity Management System” (IdM)
SERC, June 7, 2004
““Identity Management System”Identity Management System”
Suite of campus-wide security, access, and information services– Integrates data sources and manages
information about people and their contact locations
– Establishes electronic identity of users– Issues identity credentials– Uses administrative data and management
tools to assign affiliation attributes – …and gives permission to use services based
on those attributes
SERC, June 7, 2004
Key terms: Key terms: Enterprise Directory ServicesEnterprise Directory Services
Enterprise Directory Services - where electronic identifiers are reconciled and institutional identity is established and maintained for all entities of interest
–Very quick lookup function
–Machine address, voice mail box, email box location, address, campus identifiers
SERC, June 7, 2004
More key termsMore key terms
Authentication (AuthN)– Process of proving your identity by
“presenting” an identity credential – In IT systems, often done by a login
process Authorization (AuthZ)
– Process of determining if policy permits a requested action to proceed using attribute & group information
– Often associated with an authenticated identity, but not always and not necessarily
SERC, June 7, 2004
SERC, June 7, 2004
Context
SERC, June 7, 2004
Context: What’s the problem?Context: What’s the problem?
Accommodate increased demand for integration across traditional data sources
Deliver services to new populations Resolve tension between appropriate
privacy and security regulations
SERC, June 7, 2004
Context: Viewing anglesContext: Viewing angles
User view–One stop–Presentation similarities–Accurate data
Developer view–One source–Ease of development
SERC, June 7, 2004
Context: What happens?Context: What happens?
Traditional data sources integration
–Updating information
–How soon can we serve new staff, students?
–Adding individuals to identity management system
SERC, June 7, 2004
Context: What happens?Context: What happens?
New constituencies – Beyond faculty, staff, and students– Alumni, retirees, new kinds of learners– A portal for parents
Challenge to “the join” Can’t ask for the key linking attributes
like DoB Students vouch for them? Separate
DB??
SERC, June 7, 2004
Strategies for Success
SERC, June 7, 2004
Strategies for SuccessStrategies for Success
Know your environment
Establish core principles
Oversight
Real Life
Topics to consider
SERC, June 7, 2004
Strategies: Know your environment! Strategies: Know your environment! Guiding questionsGuiding questions
Is campus governance centralized or distributed?
How has central administration demonstrated commitment to policy leadership?
What partnerships are in place to support policy development among, e.g., IT, Legal, internal audit, police, Student Affairs?
SERC, June 7, 2004
Are there best practices already defined for your campus? Processes to create best practices?
Are there existing policies that just need to be interpreted to cover the e-World?
What resources are available to support policy development and implementation?
Strategies: Know your environment!Strategies: Know your environment! Guiding questionsGuiding questions
SERC, June 7, 2004
Strategies: Core principlesStrategies: Core principles
Guiding philosophy of new infrastructure Defined before design and implementation
phases Criticality of service: 24x7 operations. All apps
must be dir enabled? Rooted in view of data as a strategic resource
– Enterprise directory Link to all people of interest ..and all the needed identity information
SERC, June 7, 2004
Strategies: Core principlesStrategies: Core principles
Sample core principles– Data infrastructure serves more than one institutional
application– Data is protected and requires permission for its use
unless declared “public” by the data custodians or owners
– Access to private directory data must be granted for each application and be approved by the data custodians.
– Applications using that data should meet the security and data definition guidelines put forth by the technical service administrators.
– Data will be made available for all valid administrative and educational purposes
SERC, June 7, 2004
Strategies: OversightStrategies: Oversight
Oversight and ownership Data and technical service may be different Application and infrastructure may be different
– Create, read, update, and delete (CRUD)– On-going legal, source system, and policy
changes Requires business functions to be involved Requires changes in the infrastructure
SERC, June 7, 2004
Strategies: OversightStrategies: Oversight
Sample Oversight functions: Access and use of the data and compliance with
University policy Access and use of service for performance and
security implications Dissemination of directory maintenance
information and changes Documentation of applications and attribute use Changes in requirements, procedures, and
applications using the directory once per year
SERC, June 7, 2004
Strategies: People IssuesStrategies: People Issues
Whom did you include? Whom did you forget? In what order did you include them? What did you hope for or expect from
each one to bring to the table? Where are the more difficult
interactions/relationships?
SERC, June 7, 2004
Strategies: Real lifeStrategies: Real life
Cultural / technical assumptions vs. reality– “Public directories will be mined by
spammers” Honeypot: “Does it really happen?” Nope! (How we show data matters)
– Centralization vs. flexibility Distributed management tools Be careful what you ask for
–Most anything can be done -- cost??
SERC, June 7, 2004
Strategies: Topics - 1Strategies: Topics - 1
When should a policy be developed vs. a technical fix?
What are some strategies for creating polices on-the-fly? When should this be done?
How does a technical person know when a policy decision needs to be made?
SERC, June 7, 2004
Strategies: Topics - 2Strategies: Topics - 2
How might we modify services to encourage high-level customers/stakeholders to work more effectively on policy issues?
SERC, June 7, 2004
Strategies: Topics - 3Strategies: Topics - 3
What should we do with special cases or exceptions?
–Title entries in white pagesChancellor, Provost, VP, EVP, etc
–Vanity netIDs?
–Nicknames?
–Privacy opt-in, opt-out?
SERC, June 7, 2004
Moving it Forward
SERC, June 7, 2004
Forward: Applying what we learned?Forward: Applying what we learned?
Consider the problem, scope, and alternatives
–Big P Policies
–Little p policies
SERC, June 7, 2004
Big P policies– FERPA FERPA FERPA– USA Patriot Act
Policy supports compliance Practice includes guidelines for operational staff
– HIPAA Defining Health Care Components (HCCs) on
campus How can a central IT organization support
compliance?
Forward: Compliance with Federal regulations-Forward: Compliance with Federal regulations-Due Diligence and the central IT organizationDue Diligence and the central IT organization
SERC, June 7, 2004
Forward: Compliance with State regulations-Forward: Compliance with State regulations-Due Diligence and the central IT organizationDue Diligence and the central IT organization
Big P policies
–Electronic Records Management
–Education and communication
Example:
http://archives.library.wisc.edu/rm/rechome.htm
SERC, June 7, 2004
Forward: Core principlesForward: Core principles
Big P policies
–Data and service as strategic resources
–Data and service ownership and stewardship
–Use of infrastructure
–Attribute privacy
SERC, June 7, 2004
Forward: Local considerationsForward: Local considerations
Little p policies– Relates to environment, role, and culture
NetID –Assignment, self-selection, activation,
password management Physical access security (devices)
–Assignment, activation, and implementation
Others?
SERC, June 7, 2004
ResourcesResources
www.nmi-edit.org/roadmap
middleware.internet2.edu www.cit.cornell.edu/oit/PolicyOffice.html EDUCAUSE/Cornell Institute for
Computer Policy and Law • www.educause.edu/icpl/
SERC, June 7, 2004 end